[Mageia-discuss] Current java plugin with security hole?

TJ andrewsfarm at gmail.com
Sun Apr 1 02:59:38 CEST 2012


On 03/29/2012 03:51 AM, Wolfgang Bornath wrote:
> 2012/3/29 Luc Menut <lmenut at free.fr>:
>> On 29/03/2012 09:30, Oliver Burger wrote:
>>
>>> On 29.03.2012 09:22, Wolfgang Bornath wrote:
>>>>
>>>> The page gives a link to a test routine at java.com where you can test
>>>> which version is installed on your machine. For my Mageia 1
>>>> installation with firefox the test shows "Your Java version: Version
>>>> 6 Update 26" - which matches the installed package
>>>> (java-1.6.0-sun-plugin-1.6.0.26-0.2.mga1.nonfree).
>>>>
>>>> Recommended is "version 6 update 31". But this is not available yet at
>>>> Mageia.
>>>>
>>>> - will there be a security related update for Mageia 1?
>>>> - if not, should we use the recommended newer version from java.com
>>>> (rpm packages available for 32 and 64 bit)
>>>
>>> AFAIK Oracle has withdrawn the redistribution license for all newer Java
>>> versions.
>>> But I'm not sure if only java >= 1.7 is concerned or java > 1.6.0.26.
>>
>>
>> java-1.6.0-sun > 1.6.0.26 is concerned too.
>> http://jdk-distros.java.net/
>> http://robilad.livejournal.com/90792.html
>> https://bugs.mageia.org/show_bug.cgi?id=3101
>
> Ah, missed the bug report on this - but this only shows that the
> average "non-mailing-list-reader" may not know about the issue at all.
>
> Step 1: action ASAP as suggested in the bug report comment #13
> ("update" the version in mga1 repos with a README.urpmi)
> Step 2: after this is done give out a related warning (mailing list, forum).
>
> As Dave Hodgins wrote in Bugzilla: "It may be bad for beginner users,
> but it's worse to leave them
> with insecure software that is being actively exploited."
>
FWIW, I had one site I use frequently (a weather radar loop) that used 
to complain (I'm thinking this was about three years ago) if I didn't 
use Oracle (Sun) Java, so I had Oracle's JRE 1.7.2 installed. It worked
fine, but because of the license problem and the bigger bother to
install it I tried the icedtea-web package again. It too now works just
fine with that fussy page.

In fact, I like it better. JRE would wait until the entire loop was 
downloaded before displaying anything, but the IcedTea plugin displays
frames as they are downloaded. That's important for my impatient 
brother, as if there's too much delay before something displays, he 
starts thinking something's gone wrong.

TJ


